Cisco: Cisco® Secure PIX Firewall Advanced Exam (CSPFA®) 9E0-111 Version 6.0 Jun 17th, 2003 21certify.com 9E0-111 Study Tips This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts Try to understand the concepts behind the questions instead of cramming the questions Go through the entire document at least twice so that you make sure that you are not missing anything Latest Version We are constantly reviewing our products New material is added and old material is revised Free updates are available for 365 days after the purchase You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date Important Note: Please Read Carefully This 21certify Exam has been carefully written and compiled by 21certify Exams experts It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool Repeated readings will increase your comprehension We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find copies of this PDF file has been distributed to other parties Please tell us what you think of this 21certify Exam We appreciate both positive and critical comments as your feedback helps us improve future versions We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs Good studying! 21certify Exams Technical and Support Team 21certify.com 9E0-111 Note: Section A contains 100 questions Section B contains 57 questions Section C contains 170 questions The total numbers of questions is 327 Section A Q.1 You are the network security administrator for an enterprise network with a complex security policy Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy? A ASA B Packet capture C Turbo ACLs D IP helper E Object grouping Answer: E Q.2 IPSec works with which switching paths: A Process switching B Optimum switching C Fast switching D Flow switching Answer: A Q.3 Speaking of Security Association requirements, which of the following statements is true? A A set of SAs are needed, one per direction, per protected data pipe B A set of SAa are needed, one per direction, per protocol, per protected data pipe C A set of SAs are needed, one per protocol only D A set of SAs are needed, per protocol, per protected data pipe Answer: B 21certify.com 9E0-111 Q.4 The graphic shows the output from the show failover command This unit is active and the other unit is Standby For an unknown reason, the failover is triggered and this unit has become Standby We enter the command “show failover” again What shall we see as the ip address of the [active-interface-inside]? A 172.29.1.2 B 192.168.89.1 C 0.0.0.0 D 172.29.1.1 Answer: D Q.5 Which of the following statements is not true regarding the DNS Guard? A If disabled, can be enabled by the command: fixed protocol dns 53 B The default UDP time expires in two minutes C Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received D Prevents against UDP session hijacking and denial of service attacks Answer: A Q.6 In helping the user to choose the right IPSec transforms combinations, the following rules apply: (Choose all that apply) A To provide authentication services for the transform set, include an AH transform B For authentication services include an ESP authentication transform C To provide data authentication for the data and the outer IP header, include an AH transform D For data confidentiality include an ESP encryption transform E ND5 is stronger than SHA Answer: A, B, C, D Q.7 What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements? A conduit permit ip any any all B access-list acl_out permit tcp any any all access-group acl_out interface outside C sysopt connection permit-ipsec D conduit permit tcp any any all 21certify.com 9E0-111 Answer: C Q.8 All of the following statements are true, except: A Use nat command to let users on the respective interfaces start outbound connections Associate the nat id with the global-id in the global command B An interface is always outside when compared to another interface that has a higher security level C Use a single default route statement to the outside interface only Set the default route with the ip route command D To permit access to servers on protected networks, use the static conduit commands E Packets can not flow between interfaces that have the same security level Answer: C Q.9 Which of the following statements are not true: (Choose all that apply) A DMZ interface can be considered an inside, or outside interface B DMZ interface is always considered inside C Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists D Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed E DMZ interface is always considered outside Answer: B, E Q.10 Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall Choose the strict rules that ASA follows: (Choose all that apply) A The highest security interface is the inside interface B The highest security interface is the outside interface C No outbound packet can exit the PIX Firewall without a connection and state D No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state E No inbound packet can enter the PIX Firewall without a connection and state Answer: A, D 21certify.com 9E0-111 Q.11 Which statements about the PIX Firewall in VoIP environments are true? (Choose two) A The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup B The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals C The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall D Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic Answer: B, C Q.12 Your organization’s web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts Why? A You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached B The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached C The TCP Intercept feature of the PIX Firewall has taken affect because the embryonic threshold you set in the static command was reached D The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached Answer: A Q.13 Which tasks can be performed from the Access Rules tab? (Choose three) A Configure translation rules B Configure Cisco Secure ACS C Configure access rules D Define Java and ActiveX filtering rules E Configure command authorization F Create service groups and apply them to ACLs Answer: C, D, F Q.14 Where in PDM you go to add, delete, or view global pools of addresses to be used by NAT? A Global Pools tab B System Properties tab 21certify.com 9E0-111 C Manage Pools button on the Translation Rules tab D IP Address Pools button on the VPN tab Answer: C Q.15 Which step is optional when creating a crypto map on the PIX Firewall? A Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number B Specify which transform sets are allowed for this crypto map entry C Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer’s requirements D Assign an ACL to the crypto map entry E Specify the peer to which IPSec-protected traffic can be forwarded Answer: C Q.16 Which type of downloadable ACLs are best when there are frequent requests for downloading a large ACL? A Named ACLs B Unnamed ACLs C Dynamic ACLs D Static ACLs Answer: A Q.17 Why is the group tag in the aaa-server command important? A The aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic B The group tag identifies which users require authorization to use certain services C The group tag identifies which user groups must authenticate D The group tag enables or disables user authentication services Answer: A 21certify.com 9E0-111 Q.18 You have already created an ACL named ACLIN to permit traffic from certain Internet hosts to the web server on your DMZ How you make the ACL work for you? (Choose two) A Bind the ACL to the DMZ interface B Bind the ACL to the inside interface C Bind the ACL to the outside interface D Create a static mapping for the DMZ server E Create a static mapping for the web server F Create a conduit mapping for the web server Answer: C, E Q.19 Cicso PDM consists of five major configuration areas Choose these areas A Monitoring B Hosts or networks C Access rules D System properties E Preferences F Translation rules Answer: A, B, C, D, F Q.20 How does the PIX Firewall know where to get the addresses to use for any NAT configuration? A From the nat_id in the static command B You can have only one global pool of addresses, so the PIX Firewall knows that NAT uses the addresses in the global pool established by the global command C From the nat_id in the nat command D From the nat_id in the dhcp address command Answer: C Q.21 What is the purpose of the access-group command? A Bind an ACL to an interface B Create an object group C Create and access group D Unbind the acl_ID from the interface interface_name 21certify.com 9E0-111 Answer: A Q.22 Which statements about security level 100 are true? (Choose two) A It is the lowest security level B It is the highest security level C It is the least-trusted security level D By default it is designated for the inside interface of the PIX Firewall E It is not currently a configurable security level It is reserved for future use F By default, it is designated for the outside interface of the PIX Firewall Answer: B, D Q.23 Which statements about the PIX Firewall’s DHCP capabilities are true? (Choose two) A It can be a DHCP server B It cannot be a DHCP client C You must remove a configured domain name D It can be a DHCP server and client simultaneously E It cannot pass configuration parameters it receives from another DHCP server to its own DHCP clients F The PIX Firewall’s DHCP server can be configured to distribute the IP address of up to four DNS servers to its clients Answer: A, D Q.24 The LAN-based failover your configured does not work Why? (Choose two) A You used a hub for failover operation B You used a switch for failover operation C You used a dedicated VLAN for failover operation D You did not set a failover IP address E You did not use a crossover Ethernet cable between the two PIX Firewalls F You used a crossover Ethernet cable between the two PIX Firewalls Answer: D, F Explanation: LAN-Based Failover It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch Do not use crossover cables In the diagram above, a Cisco Catalyst 3500 switch connects the Primary and Secondary PIXes The LAN failover and stateful failover links are in different VLANs, VLAN 10 and VLAN 20, respectively The inside-router and outside-router are used only for the sake of testing connectivity 21certify.com 9E0-111 10 Q.25 How are LAN-based failover and serial failover alike? A Both require that all configuration is performed on the primary PIX Firewall B Both require the use of a special serial cable C They are configured with the same command set D Both require two dedicated interfaces: one for configuration replication and another for stateful failover E Both provide stateful failover Answer: E Q.26 Choose the correct statements regarding ACLs & Conduits: A A conduit creates a rule on the PIX Firewall Adaptive Security Algorithm by denying connections from one interface to access hosts on another B An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level C An ACL applies to a single interface, affecting all traffic entering that interface based in its security level D A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another Answer: A Q.27 What is the command to remove a group of previously defined object-group commands? A Both answers are correct B clear object-group C Both answers are incorrect D no object-group Answer: A Q.28 With the IKE disabled, which of the following statements are true on a router? (Choose all that apply) A The peer’s IPSec SA will never time out for a given IPSec session B CA can not be used C The command to disable IKE is: no crypto isakmp D The user must manually define all the IPSec security associations in the crypto maps at all peers Answer: A, B, D Explanation: Disabling IKE To disable IKE, you will have to make these concessions at the peers: 21certify.com 9E0-111 75 Q.109 What is the purpose of the "logging trap" command? A Enables syslog traps B This is not a valid PIX command C Sends logs to a host named trap D Enables SMTP traps Answer: A Q.110 How you configure a pool of public IP addresses? A Global command B Pool command C NAT command D Static command Answer: A Q.111 PAT is not supported with the "fixup protocol rtsp" command A True B False Answer: A Q.112 You are required to have two crypto access-list for IPSec One is to identify outbound traffic to be encrypted, and the other is to identify inbound traffic that should be encrypted A False B True Answer: A Q.113 What is the purpose of authentication proxy? A Proxy of user logins B To enable AAA 21certify.com 9E0-111 76 C Policies on per user basis D For user accounting Answer: C Q.114 Which PIX interface(s) you apply the crypto map statements? A To the outside interface B To the inside interface C To any interfaces that IPSec packets will traverse D All PIX interfaces Answer: C Q.115 What three purposes does the failover cable serve? A Power status of the other unit B Communication link C Unit identification of both units D Stateful information Answer: A, B, C Q.116 You have a PIX firewall and you are only given one public IP address from your ISP to use on the PIX You not have any type of servers that need be accessed from the Internet What is a valid quick solution to your problem? A Get a new ISP B PAT C Request additional IP addresses from your ISP D NAT Answer: B Q.117 How many default routes can be assigned to the PIX firewall? A per network 21certify.com 9E0-111 B C As many as required D per interface E for the primary PIX and for the standby PIX Answer: B Q.118 Without stateful failover, how are active connections handled? A Connections are maintained between the PIX and the failover unit B Dropped C UDP connections are maintained D TCP connections are maintained Answer: B Q.119 What is the purpose of the "fixup protocol" commands? A To identify what protocols are permitted through the PIX B Change PIX firewall application protocol feature C To identify what protocols are to be blocked by the PIX D To map a protocol to a TCP or UDP port Answer: B Q.120 What version of IOS was the "ip port-map" command introduced? A 13.(1) B 12.1 C 11.0(1) D 12.05(t) Answer: D Q.121 What is the first step in configuring IPSec without CA? A Crypto B ISAKMP C IKE 21certify.com 77 9E0-111 78 D IPSEC Answer: C Q.122 How you delete the following PAM entry? IP port-map http port 81 A clear IP port-map http port 81 B This is a system-defined entry and cannot be deleted C no IP port-map http port 81 D delete IP port-map http port 81 Answer: C Q.123 What is the purpose of the outbound access-list for a CBAC solution? A To block all traffic, CBAC will then inspect the traffic and allow legitimate traffic out B Packets you want inspected by CBAC C The is no need for an outbound access-list in a CBAC solution D To identify legitimate inbound traffic from the Internet Answer: B Q.124 What does the " crypto access-list" command accomplish? A There are no such access list B They block non-encrypted traffic C They identify crypto map statements D Identifies which traffic is to be encrypted Answer: D Q.125 "Logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message A True B False Answer: A 21certify.com 9E0-111 79 Q.126 What is the layer-4 difference between Radius and TACACS+? A Radius uses TCP & TACACS+ uses UDP B Radius uses UDP & TACACS+ uses TCP C TACACS+ uses FTP & Radius uses TFTP D There is no layer-4 difference between Radius & TACACS+ Answer: B Q.127 What two concepts are included in data authentication? A Anti replay B Data origin authentication C Data integrity D Data confidentiality Answer: B, C Q.128 You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed The PIX firewall only shipped with Ethernet interfaces You install a new Ethernet interface that you ordered from Cisco After you power the PIX on, you assign an IP address to the interface and configure a NAT & global statement for the new network But users on the new network are unable to browse the Internet What else you need to do? A Enable the new interface in the configuration B Add the "conduit permit any any" statement to your configuration C Nothing The problem is probably with the clients workstations, not the PIX D Add the Cisco client proxy software to each workstation on the new network Answer: A Q.129 What are some advantages of using the PIX firewall over other firewalls such as Microsoft Proxy? A No security problems from running on top of other operating systems B PIX firewall is plug and play, no configuration required C PIX inspects on lower layer protocols D PIX does stateful packet inspections E One box solution Answer: A, C, D, E 21certify.com 9E0-111 Q.130 How many interfaces does the PIX 515R support? A B C D Answer: A Q.131 How you configure a PAT address? A Nat (Outside) 1.1.1.1 1.1.1.1 255.255.255.255 B IP PAT (Outside) 1.1.1.1 255.255.255.255 C PAT (Outside) 1.1.1.1 255.255.255.255 D Global (Outside) 1.1.1.1 1.1.1.1 255.255.255.255 Answer: D Q.132 What are the two transport layer protocols? A TCP B IP C ICMP D UDP Answer: A, D Q.133 How many hello packets must be missed before the failover unit will become active? A B C D Answer: A Q.134 Only one IPSec tunnel can exist between two peers A False 21certify.com 80 9E0-111 B True Answer: A Q.135 What are two purposes of NAT? A To build routing tables B To expedite packet inspection C To connect two separate interfaces D To conserve non-RFC1918 addresses E To hide internal servers and workstations real IP addresses from the Internet Answer: D, E Q.136 What does IKE Extended authentication provide? A Authentication of multiple IPSec peers B Auto-negotiation of IPSec security associations C User authentication using Radius/TACACS+ Answer: C Q.137 How you view active NAT translations? A show nat-translations B show ip-nat translations C show xlate D show translations * Answer: C Q.138 Access-list are supported with Radius authorization A True B False Answer: A 21certify.com 81 9E0-111 Q.139 How are transform sets selected in manually established security associations? A Transform sets are not used in manually established security associations B Manually established security associations only have one transform set C The first transform set is always used D The first common transform set is used Answer: B Q.140 What are the two licenses supported on the PIX515? A Unrestricted B Limited C Restricted D Unlimited Answer: A, C Q.141 What is the purpose of the "clear access-list" command? A Remove an access-list from an interface B To clear all access-list from the PIX C To clear all access-list counters D Invalid command Answer: B Q.142 At what layer of the OSI model does IPSec provide security? A B C D Answer: D Q.143 A transform set is a combination of _ & A access-list 21certify.com 82 9E0-111 B crypto maps C security protocols D algorithms Answer: C, D Q.144 AAA stands for authentication, authorization, & A application B accounting C access control D authenticity Answer: B Q.145 In CBAC, how are half-open sessions measured? A Both TCP & UPD half-open sessions are calculated B Only UDP half-open sessions are calculated C CBAC does not calculate half-open sessions D Only TCP half-open sessions are calculated Answer: A Q.146 What does DDOS stand for? A Distributed denial of service B Dedicated Department of Security C Dead, Denied, Out of Service D Demand denial of service Answer: A Q.147 What is the purpose of the "route 0" command? A To configure a static route B To enable routing on the PIX 21certify.com 83 9E0-111 84 C To configure a default route D To route between interfaces Answer: C Q.148 You establish an IPSec tunnel with a remote peer You verify by viewing the security associations You view the security associations two days later and find they are not there What is the problem? A This would not happen B You have used an incorrect command to view the security associations C Your PIX is not powered up D No traffic was identified to be encrypted Answer: D Q.149 In CBAC, where are dynamic access entries added? A A new access-list is configured for each access entry B At the beginning of the access-list C A separate access-list is created for access entries D At the end of the access-list Answer: B Q.150 How you identify a syslog server on the PIX? A logging host 10.1.1.1 B TFTP server 10.1.1.1 C syslog-server 10.1.1.1 D syslog server 10.1.1.1 Answer: A Q.151 CBAC inspection can only be configured in one direction A False B True 21certify.com 9E0-111 85 Answer: A Q.152 What is anti-replay? A IPSec peer will not accept old or duplicated packets B IPSec peer listens for all traffic from IPSec peer (at other end of tunnel), as to not require any resends C The IPSec peer sends duplicates of each packet as to not have to resend any packets D The IPSec peer will not resend packets Answer: A Q.153 During IPSec security associations negotiation, if there are multiple transform sets, which one is used? A Is does not matter B The first common one C The first one D The last one Answer: B Q.154 What three types of entries does the PAM table provide? A User defined B Internet specific C Host specific D System defined Answer: A, C, D Q.155 In AAA, what does the method keyword "local" mean? A That the AAA server is local B Deny if login request is local C Use the local database for authentication D Authenticate if login request is local 21certify.com 9E0-111 Answer: C Q.156 At what frequency does the PIX send hello packets to the failover unit? A 15 seconds B 60 seconds C seconds D 20 seconds Answer: A Q.157 What command deletes all authentication proxy entries? A Clear ip authentication-proxy cache B Clear ip authentication-proxy cache all C Clear ip authentication-proxy cache * D Clear authentication-proxy all entries Answer: C Q.158 What is the purpose of the access-group command? A To apply an access-list to an interface B This is not a valid command on the PIX firewall C To create an ACL D To group access-list together Answer: A Q.159 Default "fixup protocol" commands cannot be disabled A True B False Answer: B 21certify.com 86 9E0-111 Q.160 What is the purpose of a syslog server? A To host websites B To collect system messages C To maintain current backup configurations D To maintain URL filtering information Answer: B Q.161 What is required for stateful failover on the PIX 515? A Unrestricted software license B Cisco failover cable C Cisco IOS failover feature set D Ethernet interfaces interconnected Answer: A, B, D Q.162 In CBAC, what is a state table? A A table containing access-list information B A table containing information about the state of CBAC C A table containing information about the state of the packet's connection D A table containing routing information Answer: C Q.163 What two commands are needed for inbound access? A Static B Access-list C PAT D NAT Answer: A, B Q.164 What are some application layer protocols that CBAC can inspect? 21certify.com 87 9E0-111 88 A TFTP B TCP C SMTP D UDP E HTTP F FTP Answer: A, C, E, F Q.165 What does PAM for CBAC? A PAM allows CBAC to associate non-standard port numbers with specific protocols B PAM is required by CBAC to inspect traffic C PAM is an alternative to using CBAC for packet inspection D PAM is not compatible with CBAC Answer: A Q.166 What is the different about the PIX privileged access mode as opposed to the privileged access mode of a Cisco IOS router? A The "?" command does not work on the PIX B No difference C Each configuration command is automatically saved to flash D The ability to view the running configuration from the configuration mode Answer: D You can a show run from anywhere in the PIX and get the running configuration Ina IOS Router you can only it from router# (There is a way in the new IOS though to it in a router) If you wanted to it from router(config-if)# you would have to enter "do show run" But what they are looking for is D Q.167 When configuring ACL to identify traffic that requires encryption, two entries are needed One for inbound traffic and one for outbound traffic A True B False Answer: B 21certify.com 9E0-111 89 Q.168 How you change the activation key on the PIX? A Reset the PIX B With the checksum command C Copy a PIX image to the flash D The activation key cannot be changed Answer: C Q.169 How many interfaces does the PIX 506 support? A B C D Answer: B Q.170 What is CA? A Configured applications B Cisco authentication C Certificate authority D Command approval Answer: C Note: Section A contains 100 questions Section B contains 57 questions Section C contains 170 questions The total numbers of questions is 327 21certify.com ... installing the PIX- 4FE and PIX- VPN-ACCEL cards in a PIX Firewall 535 21certify.com 9E 0-1 11 26 model is true? A The PIX- VPN-ACCEL card must be installed in the 64-bit/22 MHz bus, and the PIX4 FE card... from the active PIX Firewall to the standby PIX Firewall D The active PIX Firewall replicates only the failover configuration to the standby PIX Firewall Answer: C 21certify.com 9E 0-1 11 24 Q.73... mean? A The active PIX Firewall is working and the standby PIX Firewall is ready B Monitoring the other PIX Firewall? ??s network interface has not yet started C The active PIX Firewall is waiting